System and method for malware and network reputation correlation

ABSTRACT

A method is provided in one example embodiment and includes receiving a reputation value based on a hash of a file making a network connection and on a network address of a remote end of the network connection. The network connection may be blocked if the reputation value indicates the hash or the network address is associated with malicious activity. In more specific embodiments, the method may also include sending a query to a threat analysis host to request the reputation value. Additionally or alternatively the reputation value may be based on query patterns in particular embodiments. In yet more specific embodiments, the network connection may be an inbound connection and/or an outbound connection, and the reputation value may be based on a file reputation associated with the hash and a connection reputation associated with the network address of the remote end of the network connection.

CROSS-REFERENCE TO RELATED APPLICATION

This Application is a divisional (and claims the benefit under 35 U.S.C. §120 and §121) of U.S. application Ser. No. 13/052,739, filed Mar. 21, 2011 and entitled SYSTEM AND METHOD FOR MALWARE AND NETWORK REPUTATION CORRELATION. The disclosure of the prior Application is considered part of and is incorporated by reference in the disclosure of this Application.

TECHNICAL FIELD

This disclosure relates in general to the field of network security, and more particularly, to a system and a method for malware and network reputation correlation.

BACKGROUND

The field of network security has become increasingly important in today's society. The Internet has enabled interconnection of different computer networks all over the world. The ability to effectively protect and maintain stable computers and systems, however, presents a significant obstacle for component manufacturers, system designers, and network operators. This obstacle is made even more complicated due to the continually-evolving array of tactics exploited by malicious operators. Once malicious software (e.g., a bot) has infected a host computer, a malicious operator may issue commands from a remote computer to control the malicious software. The software can be instructed to perform any number of malicious actions such as, for example, sending out spam or malicious emails from the host computer, stealing sensitive information from a business or individual associated with the host computer, propagating to other host computers, and/or assisting with distributed denial of service attacks. In addition, the malicious operator can sell or otherwise give access to other malicious operators, thereby escalating the exploitation of the host computers. Security professionals need to develop innovative tools to combat such tactics that allow malicious operators to exploit computers.

BRIEF DESCRIPTION OF THE DRAWINGS

To provide a more complete understanding of the present disclosure and features and advantages thereof, reference is made to the following description, taken in conjunction with the accompanying figures, wherein like reference numerals represent like parts, in which:

FIG. 1 is a simplified block diagram illustrating an example embodiment of a network environment in which malware and network reputation may be correlated for network protection in accordance with this specification;

FIG. 2 is a simplified block diagram illustrating additional details associated with one potential embodiment of the network environment, in accordance with this specification;

FIG. 3 is a simplified flowchart illustrating example operations associated with an endhost in one embodiment of a network environment in accordance with this specification;

FIG. 4 is a simplified flowchart illustrating example operations associated with processing a reputation query in one embodiment of a network environment in accordance with this specification;

FIG. 5 is a simplified block diagram that illustrates potential operations associated with an example attack in one embodiment of a network environment;

FIG. 6 is a simplified table that further illustrates some of the details associated with the example attack in the embodiment of the network environment of FIG. 5; and

FIG. 7 is a simplified block diagram of another set of potential operations associated with an attack in an embodiment of a network environment according to this specification.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview

A method is provided in one example embodiment and includes receiving a reputation value based on a hash of a file making a network connection and on a network address of a remote end of the network connection. The network connection may be blocked if the reputation value indicates the hash or the network address is associated with malicious activity. In more specific embodiments, the method may also include sending a query to a threat analysis host to request the reputation value. Additionally or alternatively, the reputation value may be based on query patterns in particular embodiments. In yet more specific embodiments, the network connection may be an inbound connection and/or an outbound connection, and the reputation value may be based on a file reputation associated with the hash and a connection reputation associated with the network address of the remote end of the network connection.

Example Embodiments

Turning to FIG. 1, FIG. 1 is a simplified block diagram of an example embodiment of a network environment 10 in which malware and network reputation may be correlated for network protection. Network environment 10 includes Internet 15, endhosts 20 a and 20 b, remote hosts 25 a and 25 b, and a threat analysis host 30. In general, endhosts 20 a-b may be any type of termination point in a network connection, including but not limited to a desktop computer, a server, a laptop, a mobile telephone, or any other type of device that can receive or establish a connection with a remote host, for example between any two ports 35 a-f. Endhost 20 a may execute applications 40 a-b and reputation query 42 a; endhost 20 b may execute application 40 c and reputation query 42 b. Remote hosts 25 a-b generally represent any type of computer or other device that may be compromised by malicious software (“malware”), which may be under the control of a computer or device, such as a command and control (C&C) server 45. Each of endhosts 20 a-b, remote hosts 25 a-b, threat analysis host 30, and C&C server 45 may have associated Internet Protocol (IP) addresses.

Each of the elements of FIG. 1 may couple to one another through simple interfaces or through any other suitable connection (wired or wireless), which provides a viable pathway for network communications. Additionally, any one or more of these elements may be combined or removed from the architecture based on particular configuration needs. Network environment 10 may include a configuration capable of transmission control protocol/Internet protocol (TCP/IP) communications for the transmission or reception of packets in a network. Network environment 10 may also operate in conjunction with a user datagram protocol/IP (UDP/IP) or any other suitable protocol where appropriate and based on particular needs.

For purposes of illustrating the techniques of the system for network protection against malicious software, it is important to understand the activities occurring within a given network. The following foundational information may be viewed as a basis from which the present disclosure may be properly explained. Such information is offered earnestly for purposes of explanation only and, accordingly, should not be construed in any way to limit the broad scope of the present disclosure and its potential applications.

Typical network environments used in organizations and by individuals include the ability to communicate electronically with other networks using, for example, the Internet to access web pages hosted on servers connected to the Internet, to send or receive electronic mail (i.e., email) messages, or to exchange files with end users or servers connected to the Internet. Malicious users are continuously developing new tactics using the Internet to spread malware and to gain access to confidential information.

Tactics that represent an increasing threat to computer security often include botnets, which have become a serious Internet security problem. In many cases they employ sophisticated attack schemes that include a combination of well-known and new vulnerabilities. Botnets generally use a client-server architecture where a type of malicious software (i.e., a bot) is placed on a host computer and communicates with a command and control server, which may be controlled by a malicious user (e.g., a botnet operator). Usually, a botnet is composed of a large number of bots that are controlled by the operator using a C&C protocol through various channels, including Internet Relay Chat (IRC) and peer-to-peer (P2P) communication. The bot may receive commands from the command and control server to perform particular malicious activities and, accordingly, may execute such commands. The bot may also send any results or pilfered information back to the command and control server.

Botnet attacks generally follow the same lifecycle. First, desktop computers are compromised by malware, often by drive-by downloads, Trojans, or un-patched vulnerabilities. The malware may then subvert these computers into bots, giving a botmaster control over them. The term “malware” generally includes any software designed to access and/or control a computer without the informed consent of the computer owner, and is most commonly used as a label for any hostile, intrusive, or annoying software such as a computer virus, spyware, adware, etc. Once compromised, the computers may then be subverted into bots, giving a botmaster control over them. The botmaster may then use these computers for malicious activity, such as spamming. In addition to receiving commands to perform malicious activities, bots also typically include one or more propagation vectors that enable them to spread within an organization's network or across other networks to other organizations or individuals. Common propagation vectors include exploiting known vulnerabilities on hosts within the local network and sending malicious emails having a malicious program attached or providing malicious links within the emails.

Existing firewall and network intrusion prevention technologies are generally deficient for recognizing and containing botnets. Bots are often designed to initiate communication with the C&C server and to masquerade as normal web browser traffic. Bots may be crafted with a C&C protocol that makes the bot appear to be making normal network connections to a web server. For example, a bot may use a port typically used to communicate with a web server. Such bots, therefore, may not be detected by existing technologies without performing more detailed packet inspection of the web traffic. Moreover, once a bot is discovered, the botnet operator may simply find another way to masquerade network traffic by the bot to continue to present as normal web traffic. More recently, botnet operators have crafted bots to use encryption protocols such as, for example, secure socket layer (SSL), thereby encrypting malicious network traffic. Such encrypted traffic may use a Hypertext Transfer Protocol Secure (HTTPS) port such that only the endpoints involved in the encrypted session can decrypt the data. Thus, existing firewalls and other network intrusion prevention technologies are unable to perform any meaningful inspection of the web traffic. Consequently, bots continue to infect host computers within networks.

Some reputation systems can offer a viable defense to particular botnets. In general, a reputation system monitors activity and assigns a reputation value or score to an entity based on its past behavior. The reputation value may denote different levels of trustworthiness on the spectrum from benign to malicious. For example, a connection reputation value (e.g., minimal risk, unverified, high risk, etc.) may be computed for a network address based on connections made with the address or email originating from the address. Connection reputation systems may be used to reject email or network connections with IP addresses known or likely to be associated with malicious activity, while file reputation systems can block activity of applications having hashes known or likely to be associated with malicious activity. However, connection reputation lookups are driven purely by network traffic and file reputation lookups do not consider any network traffic.

Other software security technology focused on preventing unauthorized program files from executing on a host computer may have undesirable side effects for end users or employees of a business or other organizational entity. Network or Information Technology (IT) administrators may be charged with crafting extensive policies relevant to all facets of the business entity to enable employees to obtain software and other electronic data from desirable and trusted network resources. Without extensive policies in place, employees may be prevented from downloading software and other electronic data from network resources that are not specifically authorized, even if such software and other data facilitate legitimate and necessary business activities. In addition, such systems may be so restrictive that if unauthorized software is found on a host computer, any host computer activities may be suspended pending network administrator intervention. For businesses, this type of system may interfere with legitimate and necessary business activities, resulting in worker downtime, lost revenue, significant Information Technology (IT) overhead, and the like.

In accordance with one embodiment, network environment 10 can overcome these shortcomings (and others) by correlating file and connection reputation. A file hash and network address can be submitted for a reputation lookup when an endhost attempts to establish a connection with a remote host. Reputation information for both the hash and the address can then be analyzed for potential threats, and appropriate policy action can be implemented. Note that a “file,” as that term is used herein, broadly includes any unit of data stored in a computer with a single name. In the context of network security, a file is often an executable file comprising instructions that can be understood and processed on a computer, and may further include library modules loaded during execution. Such an executable file is also commonly referred to as an application, software, program file, module, macro, and the like.

For example, IP addresses that are contacted by known malicious hashes may be identified as possible C&C servers or botnet update locations, and hashes that contact known malicious IP addresses may be associated with malware. Furthermore, such hashes may also enable the identification of legitimate applications that have been exploited. If a new exploit in a benign application causes the application to download content from a particular IP address, for instance, a surge in queries from the application can link together the hash with the malicious IP address. Thus, correlation between the two reputation systems enables network locations to be associated with particular malware and vice versa; knowledge of one can provide knowledge of the other. Moreover, unknown applications can be identified as benign by observing that their behavior is consistent with other benign applications. For example, known hashes for a web browser may expose a certain behavior, such as contacting various remote machines on ports 80 and 443 or having a typical inter-arrival time between new connections, etc. If a new hash is observed with similar behavioral traits, it can be deduced that the hash is likely to be a web browser as well.
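The behavioral comparison just described, worked as an added example that is not code from the patent: each hash observed in a connection log is reduced to the two traits the text names (the set of remote ports it contacts and its typical inter-arrival time between new connections), and an unknown hash is labelled a likely browser when its profile scores close to a known browser hash. The feature choice, the similarity score, the threshold and the connection records are assumptions; the browser hash is the iexplore.exe value from the text, the other two hashes are constructed.

```python
"""Classifying an unknown hash by its connection behaviour (added example).

Not the patent's code. The two features (remote ports used, median
inter-arrival time between new connections), the similarity score and the
threshold are assumptions; the connection records are constructed.
"""
from statistics import median

# Constructed connection records: (file_hash, seconds since start, remote_port).
# BROWSER is the iexplore.exe hash from the text; NEW and BOT are constructed.
BROWSER = "02FF22F3AF0108DA2A563ABC9867049F"
NEW = "AAAAAAAA00000000AAAAAAAA00000001"
BOT = "BBBBBBBB00000000BBBBBBBB00000002"
RECORDS = [
    (BROWSER, 0, 80), (BROWSER, 2, 443), (BROWSER, 4, 80), (BROWSER, 7, 443),
    (NEW, 10, 443), (NEW, 12, 80), (NEW, 15, 443),
    (BOT, 0, 6667), (BOT, 60, 6667), (BOT, 120, 6667),
]


def profiles(records):
    """Per-hash behaviour: set of remote ports and median gap between connections."""
    by_hash = {}
    for file_hash, ts, port in records:
        by_hash.setdefault(file_hash, []).append((ts, port))
    out = {}
    for file_hash, conns in by_hash.items():
        conns.sort()                      # order by timestamp
        gaps = [later[0] - earlier[0] for earlier, later in zip(conns, conns[1:])]
        out[file_hash] = {"ports": {p for _, p in conns},
                          "median_gap": median(gaps) if gaps else None}
    return out


def similarity(p, q):
    """0..1 score: Jaccard overlap of ports, averaged with inter-arrival closeness."""
    port_score = len(p["ports"] & q["ports"]) / len(p["ports"] | q["ports"])
    if p["median_gap"] is None or q["median_gap"] is None:
        return port_score                 # too few connections to compare timing
    longest = max(p["median_gap"], q["median_gap"])
    if longest == 0:
        return 0.5 * port_score + 0.5     # both reconnect immediately: timing matches
    gap_score = 1 - abs(p["median_gap"] - q["median_gap"]) / longest
    return 0.5 * port_score + 0.5 * gap_score


def classify(unknown, known_browsers, prof, threshold=0.75):
    """Return ('likely browser' | 'unknown', best score) for an unknown hash."""
    best = max(similarity(prof[unknown], prof[k]) for k in known_browsers)
    return ("likely browser" if best >= threshold else "unknown"), best


if __name__ == "__main__":
    prof = profiles(RECORDS)
    print(NEW, classify(NEW, [BROWSER], prof))
    print(BOT, classify(BOT, [BROWSER], prof))
```

A profile built from a handful of connections is weak evidence on its own; in practice such a label would lower the priority of an unknown hash for analysis rather than grant it a benign reputation outright, since anything that talks to ports 80 and 443 at browser-like intervals, including a bot masquerading as browser traffic, scores the same way.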

Turning to FIG. 2, FIG. 2 is a simplified block diagram illustrating additional details associated with one potential embodiment of network environment 10. FIG. 2 includes Internet 15, endhosts 20 a-b, remote host 25 a, and threat analysis host 30. Each of these elements may include a respective processor 50 a-d, a respective memory element 55 a-d, and various software elements. More particularly, applications 40 a and 40 c and reputation query modules 42 a-b may be hosted by endhosts 20 a-b, analyzer module 60 may be hosted by threat analysis host 30, and bot 65 may be hosted by remote host 25 a.

In one example implementation, endhosts 20 a-b, remote host 25 a, and/or threat analysis host 30 are network elements, which are meant to encompass network appliances, servers, routers, switches, gateways, bridges, load balancers, firewalls, processors, modules, or any other suitable device, component, element, or object operable to exchange information in a network environment. Network elements may include any suitable hardware, software, components, modules, interfaces, or objects that facilitate the operations thereof. This may be inclusive of appropriate algorithms and communication protocols that allow for the effective exchange of data or information. However, endhosts 20 a-b may be distinguished from other network elements as they tend to serve as a terminal point for a network connection, in contrast to a gateway or router. Endhosts are also inclusive of wireless network endpoints, such as i-Phones, i-Pads, Android phones, and other similar telecommunications devices.

In regards to the internal structure associated with network environment 10, each of endhosts 20 a-b, remote host 25 a, and/or threat analysis host 30 can include memory elements (as shown in FIG. 2) for storing information to be used in the operations outlined herein. Additionally, each of these devices may include a processor that can execute software or an algorithm to perform activities as discussed herein. These devices may further keep information in any suitable memory element [random access memory (RAM), ROM, EPROM, EEPROM, ASIC, etc.], software, hardware, or in any other suitable component, device, element, or object where appropriate and based on particular needs. Any of the memory items discussed herein should be construed as being encompassed within the broad term ‘memory element.’ The information being tracked or sent by endhosts 20 a-b, remote host 25 a, and/or threat analysis host 30 could be provided in any database, register, control list, or storage structure, all of which can be referenced at any suitable timeframe. Any such storage options may be included within the broad term ‘memory element’ as used herein. Similarly, any of the potential processing elements, modules, and machines described herein should be construed as being encompassed within the broad term ‘processor.’ Each of the network elements can also include suitable interfaces for receiving, transmitting, and/or otherwise communicating data or information in a network environment.

In one example implementation, endhosts 20 a-b, remote host 25 a, and/or threat analysis host 30 include software (e.g., as part of analyzer module 60, etc.) to achieve, or to foster, operations as outlined herein. In other embodiments, such operations may be carried out externally to these elements, or included in some other network device to achieve the intended functionality. Alternatively, these elements may include software (or reciprocating software) that can coordinate in order to achieve the operations, as outlined herein. In still other embodiments, one or all of these devices may include any suitable algorithms, hardware, software, components, modules, interfaces, or objects that facilitate the operations thereof.

Note that in certain example implementations, the functions outlined herein may be implemented by logic encoded in one or more tangible media (e.g., embedded logic provided in an application specific integrated circuit [ASIC], digital signal processor [DSP] instructions, software [potentially inclusive of object code and source code] to be executed by a processor, or other similar machine, etc.). In some of these instances, memory elements [as shown in FIG. 2] can store data used for the operations described herein. This includes the memory elements being able to store software, logic, code, or processor instructions that are executed to carry out the activities described herein. A processor can execute any type of instructions associated with the data to achieve the operations detailed herein. In one example, the processors [as shown in FIG. 2] could transform an element or an article (e.g., data) from one state or thing to another state or thing. In another example, the activities outlined herein may be implemented with fixed logic or programmable logic (e.g., software/computer instructions executed by a processor) and the elements identified herein could be some type of a programmable processor, programmable digital logic (e.g., a field programmable gate array [FPGA], an erasable programmable read only memory (EPROM), an electrically erasable programmable ROM (EEPROM)) or an ASIC that includes digital logic, software, code, electronic instructions, or any suitable combination thereof.

FIG. 3 is a simplified flowchart 300 illustrating example operations associated with an endhost in one embodiment of network environment 10. An application on an endhost, such as application module 20 a, attempts to establish a connection with a remote host, either by initiating a connection to the remote host at 305 a for an outbound connection or receiving a connection from the remote host at 305 b for an inbound connection. For example, a user on a workstation may use a web browser to visit a particular website at 305 a. A reputation query may then be sent to a reputation system or threat analysis host at 310. In certain embodiments, the reputation query may be generated by a separate module that can intercept network communications, such as reputation query module 42 a. The query may include network addresses and a hash of the application, as well as other connection information such as the transport protocol. Network addresses generally include data that identifies both the endhost and the remote end of the connection, such as the local (endhost) IP address and port and the remote host IP address and port. The reputation query can be processed and a response received at 315. The response may include a reputation value, which can denote different levels of trustworthiness on the spectrum from benign to malicious based on the reputation of the hash and/or the network address. The response can indicate whether the connection with the remote host should be allowed at 320. If the query response indicates that the connection is probably benign, then the connection is allowed at 325 a, but if the response indicates that the connection may be malicious, then appropriate action may be taken based on policy. For example, appropriate action may include blocking the connection, as at 325 b. Alternatively or additionally, the user may be alerted or the activity may be recorded in a log for subsequent forensic analysis.

FIG. 4 is a simplified flowchart 400 illustrating example operations associated with processing a reputation query in one embodiment of network environment 10, as may be done at 315 of flowchart 300. A reputation query may be received at 405. The reputation query generally includes information about a connection initiated or received by an endhost. For example, the query may include the IP address and port of the endhost and of a remote host, a hash of the application attempting to initiate or accept a connection, and the transport protocol of the connection. The query can be processed and a response sent at 415. More particularly, the connection information may be analyzed to determine if the IP address of the remote host or the application hash is known to be associated with malicious activity at 420 and 425. Query patterns and existing reputation data may also be examined at 430 to identify potentially malicious connections in real-time.
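The exchange of flowcharts 300 and 400, as an added example that is not code from the patent: the endhost's query module packages the file hash, both ends of the connection and the transport protocol; the threat analysis host looks up the hash (425) and the remote address (420) in separate reputation tables and returns the worse of the two as the reputation value; the endhost maps that value to a policy action (320/325). The JSON wire format, the field names, the three reputation labels (taken from the "minimal risk, unverified, high risk" wording earlier in the text), the policy table and the local port numbers are assumptions; the hashes and addresses are the illustrative values the text uses for FIG. 6, with the C&C address seeded as high risk and the rasmon.dll hash deliberately left unknown to show the address reputation deciding the verdict on its own.

```python
"""Reputation query exchange between an endhost and a threat analysis host.

Added example (not the patent's code). Wire format, field names, the three
reputation labels and the policy table are assumptions; the hashes and
addresses reused from the text are the page's own illustrative values.
"""
import json
from dataclasses import dataclass, asdict

# Reputation labels ordered from benign to malicious.
LEVELS = ["minimal risk", "unverified", "high risk"]


@dataclass
class ReputationQuery:
    file_hash: str      # hash of the file that owns the socket (MD5 in the text)
    local_ip: str       # endhost address and port
    local_port: int
    remote_ip: str      # remote end of the connection
    remote_port: int
    protocol: str       # transport protocol, e.g. "tcp"
    direction: str      # "outbound" (305 a) or "inbound" (305 b)


def normalize_hash(h):
    """Accept '0x'-prefixed or bare hex and store one canonical form."""
    h = h.strip().lower()
    if h.startswith("0x"):
        h = h[2:]
    if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("expected a 128-bit hex digest")
    return h.upper()


def build_query(file_hash, local, remote, protocol, direction):
    """Reputation query module (42 a): capture the hash and both ends of the connection."""
    return ReputationQuery(normalize_hash(file_hash), local[0], local[1],
                           remote[0], remote[1], protocol, direction)


def encode(query):
    return json.dumps(asdict(query)).encode()


def decode(wire):
    return ReputationQuery(**json.loads(wire))


class ThreatAnalyzer:
    """Threat analysis host with static file and connection reputation tables."""

    def __init__(self, file_rep, conn_rep):
        self.file_rep = {normalize_hash(k): v for k, v in file_rep.items()}
        self.conn_rep = dict(conn_rep)          # "ip:port" -> level

    def handle(self, wire):
        q = decode(wire)
        file_level = self.file_rep.get(q.file_hash, "unverified")          # 425
        conn_level = self.conn_rep.get(f"{q.remote_ip}:{q.remote_port}",   # 420
                                       "unverified")
        # The combined value is the worse of the two, so a known-bad address
        # condemns the connection even when the hash has never been seen.
        combined = max(file_level, conn_level, key=LEVELS.index)
        return json.dumps({"file_reputation": file_level,
                           "connection_reputation": conn_level,
                           "reputation": combined}).encode()


# Endhost policy (320/325): action for each combined reputation value.
POLICY = {"minimal risk": "allow", "unverified": "allow+log", "high risk": "block+alert"}


def decide(response_wire, policy=POLICY):
    """Endhost side: map the analyzer's reputation value to a policy action."""
    return policy[json.loads(response_wire)["reputation"]]


# Constructed reputation tables seeded with values from the text's FIG. 6 discussion.
ANALYZER = ThreatAnalyzer(
    file_rep={"0x03D3F8CEEF2C84D5CCDD6EEA9720AA8E": "minimal risk",   # msnmsgr.exe
              "0x02FF22F3AF0108DA2A563ABC9867049F": "minimal risk"},  # iexplore.exe
    conn_rep={"123.45.67.253:7001": "minimal risk",                   # message server
              "123.69.82.26:443": "high risk"},                       # C&C server
)


def analyze(query, analyzer=ANALYZER):
    """Round-trip one query through the analyzer and return the decoded response."""
    return json.loads(analyzer.handle(encode(query)))


def run_demo(analyzer=ANALYZER):
    """Three outbound queries from the target computer 172.27.2.49 (local ports constructed)."""
    queries = [
        build_query("0x03D3F8CEEF2C84D5CCDD6EEA9720AA8E", ("172.27.2.49", 51000),
                    ("123.45.67.253", 7001), "tcp", "outbound"),   # msnmsgr.exe, 505 a
        build_query("0x02FF22F3AF0108DA2A563ABC9867049F", ("172.27.2.49", 51001),
                    ("123.69.82.21", 80), "tcp", "outbound"),      # iexplore.exe, 510 a
        build_query("0x0F9C5408335833E72FE73E6166B5A01B", ("172.27.2.49", 51002),
                    ("123.69.82.26", 443), "tcp", "outbound"),     # rasmon.dll (unknown hash), 520 a
    ]
    return [decide(analyzer.handle(encode(q))) for q in queries]


if __name__ == "__main__":
    print(run_demo())
```

The unverified case is where policy matters most: treating an unknown hash talking to an unknown address as "allow+log" keeps the forensic record the text mentions without the worker downtime that a default-deny posture causes, and the log is exactly what a later correlation pass needs.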

FIG. 5 is a simplified block diagram that illustrates potential operations associated with an example attack in one embodiment of network environment 10. This particular example attack is based on an infamous incident commonly known as “Operation Aurora.” The attack is initiated when a target computer running a messaging client, such as an email client or instant messaging client, attempts to connect to a message server and retrieve a malicious message.

In this embodiment of network 10, the target computer first queries a threat analyzer at 505 a before connecting to the message server. The query includes certain connection attributes, such as the name of the file attempting to establish the connection, the hash or checksum of the file, the network address of the connection source, and the network address of the connection destination. Note that the connection source and connection destination are relative concepts that merely represent opposite ends (local and remote) of a network connection. The threat analyzer evaluates the attributes to identify potential threats, which may be recognized for example by reputation data associated with the file hash, the address of the connection source, or the address of the connection destination. At 505 b, a response to the query is returned to the client. The connection may be blocked or allowed based on the response. In this example, the messaging client is recognized as a benign file initiating a connection from an address that has not been identified as compromised, and the address of the message server is also recognized as benign. Consequently, this connection may be allowed at 505 c and the message retrieved at 505 d.

For purposes of illustrating this attack further, it can be assumed that a user clicks on a hypertext link in the retrieved message, which initiates a web browser process for opening a document on a remote web server. Another query may be sent at 510 a and a response returned at 510 b. The connection may be blocked or allowed based on the response. For example, the connection may be blocked if the connection destination address (i.e., the address of the remote web server) has previously been associated with malicious activity. But for illustrating the attack further, it can be assumed that the connection destination address is not known as a malicious address, and the connection may be allowed. Thus, the web browser can connect to the remote web server at 510 c and retrieve the document from the server at 510 d.

In this example, the document contains code that exploits a flaw in the web browser, which causes the web browser to initiate a connection with a second malicious server. Before connecting to this malicious server, though, another query may be sent at 515 a and a response returned at 515 b. Based on the response, the connection may be blocked or allowed. Again assuming for purposes of illustration that the connection is allowed, though, the web browser may connect to the malicious machine at 515 c, which can transfer a malicious file to the target computer at 515 d.

Once installed on the target computer, the malicious file may attempt to connect to a remote server, such as a command and control (C&C) server. However, a query may first be sent to the threat analyzer at 520 a and a response returned at 520 b. Based on the response, the connection may again be blocked or allowed. If the connection is allowed, the remote server may effectively control the target machine over this connection at 520 c-d. For example, the remote server may listen for incoming connections to the target computer and install additional malicious files on computers that connect to the target computer at 525 and 530.

FIG. 6 is a simplified table 600 that further illustrates some of the details associated with the example attack in one embodiment of network environment 10 illustrated in FIG. 5. More specifically, FIG. 6 illustrates some of the potential connection attributes that may be included in the queries from the target computer. Table 600 includes a Filename column 605, a Hash column 610, a Source column 615, and a Destination column 620. Filename 605 represents the name of a file attempting to open or accept a network connection. Hash 610 represents a hash value of the file attempting to open or accept the network connection, such as an MD5 checksum value of the file. Source 615 includes the network address associated with the file attempting to open the network connection; Destination 620 represents the network address of the file accepting the network connection.

Thus, to further illustrate the example of FIG. 5, the messaging client may be MSN Messenger, which is commonly named “msnmsgr.exe,” and may for example have a hash value of 0x03D3F8CEEF2C84D5CCDD6EEA9720AA8E, and an IP address of 172.27.2.49. If the messaging server has an IP address of 123.45.67.253:7001, then the query at 505 a may include connection attributes 625. The web browser used at 510 a-d may be, for example, Internet Explorer, which is commonly named “iexplore.exe,” and may have a hash value of 0x02FF22F3AF0108DA2A563ABC9867049F. Since the web browser is also running on the target computer, it may have the same IP address as the message client, in this example 172.27.2.49. If the remote web server has an IP address of 123.69.82.21:80, then the query at 510 a may include attributes 630. Similarly, if the second malicious server has an IP address of 123.69.82.20:80, then the query at 515 a may include attributes 635. The malicious file transferred to the target computer at 515 d may be named “rasmon.dll” with a hash value of 0x0F9C5408335833E72FE73E6166B5A01B, and may attempt to connect to a C&C server having an IP address of 123.69.82.26:443, for example. Accordingly, the query at 520 a may include attributes 640. Lastly, the remote server may, for example, run a program called netcat (“nc.exe”) having a hash value of 0xAB41B1E2DB77CEBD9E2779110EE3915D to accept incoming control connections to the target computer. Thus, if another computer on the local network having an IP address of 172.27.2.83 attempts to connect to the target computer, a query having attributes 645 may be sent, and likewise, if a third computer having an address of 172.27.2.21 attempts to connect to the target computer, a query having attributes 650 may be sent. If the remote server successfully establishes a connection with netcat, then additional malicious files may be installed on the second or third computer. Note that these files need not be identical to the file transferred to the target computer at 515 d. To illustrate this in Table 600, these secondary malicious files may be named “AppMgmt.dll” and have a hash value of 0x89C9BECFA2518DE49BC2F9BAAB42F64D, as in attributes 655 and 660, for example.

It is important to reiterate that the attack described above and illustrated in FIG. 5 and FIG. 6 is provided merely as an example, and not as a limitation of the many applications of network environment 10. Moreover, this attack has been used to demonstrate potential operations of network environment 10 at advanced stages of the attack, but when used in a preferred mode of operation, network environment 10 may have blocked the attack at an early stage or prevented it altogether. For example, referring again to Table 600 for details, if the IP address of the malicious web server (i.e., 123.69.82.21:80) had a malicious reputation, then the user's connection at 510 c could have been blocked, even though the hash of the web browser itself was not identified as a malicious file. Moreover, once a malicious file attempts to connect to a malicious address, further activity of the file may be blocked based on its hash. Thus, for example, if the address of the C&C server (i.e., 123.69.82.26:443) has a malicious reputation, then the rasmon.dll file can be identified as malicious when it attempts a connection to the C&C server. Any subsequent activity by any file having the same hash as the rasmon.dll file can then be blocked completely, regardless of whether or not it is attempting to connect to a known malicious address.

FIG. 7 is a simplified block diagram of another set of potential operations associated with an attack in an embodiment of network environment 10. A previously unidentified file on an endhost 705 attempts to connect to a server 710 at 715. In this example, the network address of server 710 has previously been identified as a C&C server. Consequently, this connection may be blocked at 718 based on the reputation of this network address. Moreover, the reputation of the previously unidentified file on endhost 705 can be adjusted to reflect this malicious activity, with no need to analyze the file itself, and the file may be terminated and/or removed if necessary. At 720, the same file on an endhost 725 attempts to connect to a server 730. In this example, server 730 has a network address that has not previously been identified as a malicious address. However, because the file now has a malicious reputation based on the prior attempt to connect to server 710, this connection may also be blocked at 735, and the reputation of server 730 can also be adjusted to reflect malicious activity. The file may also be terminated and/or removed from endhost 725 if necessary. At 740, another file on endhost 745 attempts to connect to server 730. In this example, this file has no malicious reputation, but the connection may be blocked at 750 based on the reputation of server 730 previously acquired based on the attempted connection at 720. Thus, in this embodiment, real-time correlation between file reputation and network reputation in network environment 10 is able not only to block previously unknown malware from connecting to a known C&C server, but also, in real time, to prevent previously unknown malware from connecting to a previously unknown C&C server. Moreover, this embodiment of network environment 10 may also provide critical forensic information about malicious attacks, allowing an administrator or analyst to determine the exact point of entry and quickly identify compromised computers.
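The following is an added example, not code from the patent, that models the correlation logic of FIG. 7 and the Table 600 replay discussed with FIG. 6 as a small in-memory analyzer: each query carries the hash of the file making the connection and the address of the remote end, a malicious address taints an unknown hash, and a malicious hash taints a previously unseen address. The `Query` and `Correlator` names, the forensic event trail, the `Rep.TRUSTED` state (which keeps a known-good program such as the browser at 510 c from being marked malicious when it is blocked), and the TEST-NET addresses and placeholder hashes used for the FIG. 7 replay are assumptions of this example; the hashes and addresses in the Table 600 replay are the specification's own values.

```python
"""Reputation correlation between file hashes and remote network addresses.

Added example for this page; it is not the patent's own code. It models the
analyzer module of FIG. 7 and the Table 600 replay of FIG. 5/6 as a small
in-memory correlator. Rep.TRUSTED, the Query/Correlator names and the
forensic event trail are assumptions of this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Rep(Enum):
    UNKNOWN = "unknown"
    TRUSTED = "trusted"      # assumption: a file with an established good reputation
    MALICIOUS = "malicious"


@dataclass(frozen=True)
class Query:
    """One reputation query: hash of the file making the connection, remote end, origin host."""
    file_hash: str
    remote_addr: str   # "ip:port" of the remote end of the connection
    endhost: str       # host the file runs on; kept only for the forensic trail


@dataclass
class Correlator:
    file_rep: dict = field(default_factory=dict)   # hash -> Rep
    addr_rep: dict = field(default_factory=dict)   # "ip:port" -> Rep
    events: list = field(default_factory=list)     # (endhost, hash, addr, verdict, reason)

    def _record(self, q, verdict, reason):
        self.events.append((q.endhost, q.file_hash, q.remote_addr, verdict, reason))
        return verdict, reason

    def decide(self, q: Query):
        """Return ("block"|"allow", reason) and update reputations by association."""
        frep = self.file_rep.get(q.file_hash, Rep.UNKNOWN)
        arep = self.addr_rep.get(q.remote_addr, Rep.UNKNOWN)

        if arep is Rep.MALICIOUS:
            # Known malicious address (e.g. a C&C server): block without analyzing the
            # file, and taint the file's hash unless the file is a trusted program such
            # as a browser that merely followed a bad link (FIG. 6, step 510 c).
            if frep is not Rep.TRUSTED:
                self.file_rep[q.file_hash] = Rep.MALICIOUS
            return self._record(q, "block", "remote address has malicious reputation")

        if frep is Rep.MALICIOUS:
            # Known-bad hash reaching an address never seen before: block and taint the
            # address, so the next unknown file that contacts it is blocked too (FIG. 7).
            self.addr_rep[q.remote_addr] = Rep.MALICIOUS
            return self._record(q, "block", "file hash has malicious reputation")

        return self._record(q, "allow", "no malicious reputation for hash or address")

    def compromised_endhosts(self):
        """Hosts on which a file now rated malicious was seen making a connection."""
        return sorted({e[0] for e in self.events
                       if e[3] == "block" and self.file_rep.get(e[1]) is Rep.MALICIOUS})


# Hashes and addresses of the Table 600 replay are the specification's own values.
RASMON_HASH = "0F9C5408335833E72FE73E6166B5A01B"      # rasmon.dll
IEXPLORE_HASH = "02FF22F3AF0108DA2A563ABC9867049F"    # iexplore.exe
MAL_WEB_SERVER = "123.69.82.21:80"                    # attributes 630
CNC_SERVER = "123.69.82.26:443"                       # attributes 640
TARGET = "172.27.2.49"


def replay_table_600():
    """FIG. 5/6 with threat intelligence that already knew both malicious addresses."""
    c = Correlator()
    c.addr_rep[MAL_WEB_SERVER] = Rep.MALICIOUS
    c.addr_rep[CNC_SERVER] = Rep.MALICIOUS
    c.file_rep[IEXPLORE_HASH] = Rep.TRUSTED
    verdicts = [
        c.decide(Query(IEXPLORE_HASH, MAL_WEB_SERVER, TARGET)),   # 510 c: blocked, browser stays trusted
        c.decide(Query(RASMON_HASH, CNC_SERVER, TARGET)),         # 520 a: blocked, rasmon.dll tainted
        c.decide(Query(RASMON_HASH, "203.0.113.9:8080", TARGET)), # constructed: new address tainted
    ]
    return c, verdicts


def replay_fig_7():
    """FIG. 7 with constructed TEST-NET addresses and placeholder hashes."""
    c = Correlator()
    server_710, server_730 = "198.51.100.10:443", "198.51.100.20:443"
    c.addr_rep[server_710] = Rep.MALICIOUS                        # 710 is a known C&C server
    verdicts = [
        c.decide(Query("unknown-hash-A", server_710, "endhost-705")),  # 715 -> blocked at 718
        c.decide(Query("unknown-hash-A", server_730, "endhost-725")),  # 720 -> blocked at 735
        c.decide(Query("unknown-hash-B", server_730, "endhost-745")),  # 740 -> blocked at 750
    ]
    return c, verdicts


if __name__ == "__main__":
    for name, (corr, vs) in (("table_600", replay_table_600()), ("fig_7", replay_fig_7())):
        print(name, [v[0] for v in vs], "compromised:", corr.compromised_endhosts())
```

Running the module prints three "block" verdicts for each replay and the hosts that carried a tainted hash, which is the forensic view the passage describes. The taint-by-association rule is what lets the correlator stop unknown malware from reaching an unknown C&C server, but it is also where false positives enter: without the trusted state, a browser reaching a malicious web server would itself become a "malicious file," and every subsequent browser connection would be blocked. A production analyzer would use scored reputations with thresholds and decay rather than the three-valued enum used here.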

Note that with the examples provided above, as well as numerous other potential examples, interaction may be described in terms of two, three, or four network elements. However, this has been done for purposes of clarity and example only. In certain cases, it may be easier to describe one or more of the functionalities of a given set of operations by only referencing a limited number of network elements. It should be appreciated that network environment 10 is readily scalable and can accommodate a large number of components, as well as more complicated/sophisticated arrangements and configurations. Accordingly, the examples provided should not limit the scope or inhibit the broad teachings of network environment 10 as potentially applied to a myriad of other architectures. Additionally, although described with reference to particular scenarios, where a particular module, such as an analyzer module, is provided within a network element, these modules can be provided externally, or consolidated and/or combined in any suitable fashion. In certain instances, such modules may be provided in a single proprietary unit.

It is also important to note that the steps in the appended diagrams illustrate only some of the possible scenarios and patterns that may be executed by, or within, network environment 10. Some of these steps may be deleted or removed where appropriate, or these steps may be modified or changed considerably without departing from the scope of teachings provided herein. In addition, a number of these operations have been described as being executed concurrently with, or in parallel to, one or more additional operations. However, the timing of these operations may be altered considerably. The preceding operational flows have been offered for purposes of example and discussion. Substantial flexibility is provided by network environment 10 in that any suitable arrangements, chronologies, configurations, and timing mechanisms may be provided without departing from the teachings provided herein.

Numerous other changes, substitutions, variations, alterations, and modifications may be ascertained to one skilled in the art and it is intended that the present disclosure encompass all such changes, substitutions, variations, alterations, and modifications as falling within the scope of the appended claims. In order to assist the United States Patent and Trademark Office (USPTO) and, additionally, any readers of any patent issued on this application in interpreting the claims appended hereto, Applicant wishes to note that the Applicant: (a) does not intend any of the appended claims to invoke paragraph six (6) of 35 U.S.C. section 112 as it exists on the date of the filing hereof unless the words “means for” or “step for” are specifically used in the particular claims; and (b) does not intend, by any statement in the specification, to limit this disclosure in any way that is not otherwise reflected in the appended claims.

What is claimed is:
1. At least one non-transitory tangible medium comprising logic encoded therein, and when executed by one or more processors the logic causes the one or more processors to: receive a first reputation query including a first network address of a first remote end and a first hash of a first file, the first file associated with a first endhost and an attempt to establish a first network connection to the first remote end; identify the first file as malicious based on determining the first network address is associated with a malicious reputation; receive a second reputation query including a second network address of a second remote end and a second hash of a second file, the second file associated with a second endhost and an attempt to establish a second network connection to the second remote end; and identify the second network address as malicious based on determining the second hash corresponds to the first hash, wherein the second network address is different from the first network address.
2. The at least one non-transitory tangible medium of claim 1, wherein the logic, when executed by the one or more processors, causes the one or more processors to: based on identifying the first file as malicious, adjust a first file reputation associated with the first file to indicate the first file is malicious.
3. The at least one non-transitory tangible medium of claim 1, wherein the first file is identified as malicious without analyzing the first file.
4. The at least one non-transitory tangible medium of claim 1, wherein the logic, when executed by the one or more processors, causes the one or more processors to: based on identifying the second network address as malicious, adjust a network address reputation associated with the second network address to indicate the second network address is malicious.
5. The at least one non-transitory tangible medium of claim 4, wherein the logic, when executed by the one or more processors, causes the one or more processors to: receive a third reputation query including the second network address and a third hash of a third file, the third file associated with a third endhost and an attempt to establish a third network connection to the second remote end; and identify the third file as malicious based on the network address reputation of the second network address indicating the second network address is malicious.
6. The at least one non-transitory tangible medium of claim 5, wherein a third file reputation associated with the third hash is unknown when the third reputation query is received.
7. The at least one non-transitory tangible medium of claim 5, wherein the logic, when executed by the one or more processors, causes the one or more processors to: based on identifying the third file as malicious, adjust a third file reputation associated with the third file to indicate the third file is malicious.
8. The at least one non-transitory tangible medium of claim 5, wherein the third file is identified as malicious without analyzing the third file.
9. The at least one non-transitory tangible medium of claim 5, wherein the logic, when executed by the one or more processors, causes the one or more processors to: assign a reputation value to the third network connection based on the network address reputation of the second network address.
10. The at least one non-transitory tangible medium of claim 5, wherein the first, second, and third hashes are cryptographic hashes.
11. The at least one non-transitory tangible medium of claim 1, wherein the logic, when executed by the one or more processors, causes the one or more processors to: assign a reputation value to the first network connection based on a first network address reputation of the first network address.
12. The at least one non-transitory tangible medium of claim 1, wherein the logic, when executed by the one or more processors, causes the one or more processors to: assign a reputation value to the second network connection based on a first file reputation.
13. The at least one non-transitory tangible medium of claim 1, wherein the first and second network connections are each one of an inbound connection or an outbound connection.
14. An apparatus, the apparatus comprising: at least one processor; and an analyzer module coupled to the at least one processor, the analyzer module to: receive a first reputation query including a first network address of a first remote end and a first hash of a first file, the first file associated with a first endhost and an attempt to establish a first network connection to the first remote end; identify the first file as malicious based on determining the first network address is associated with a malicious reputation; receive a second reputation query including a second network address of a second remote end and a second hash of a second file, the second file associated with a second endhost and an attempt to establish a second network connection to the second remote end; and identify the second network address as malicious based on determining the second hash corresponds to the first hash, wherein the second network address is different from the first network address.
15. The apparatus of claim 14, wherein the analyzer module is to: based on identifying the first file as malicious, adjust a first file reputation associated with the first file to indicate the first file is malicious.
16. The apparatus of claim 14, wherein the first file is identified as malicious without analyzing the first file.
17. The apparatus of claim 14, wherein the analyzer module is to: based on identifying the second network address as malicious, adjust a network address reputation associated with the second network address to indicate the second network address is malicious.
18. The apparatus of claim 17, wherein the analyzer module is to: receive a third reputation query including the second network address and a third hash of a third file, the third file associated with a third endhost and an attempt to establish a third network connection to the second remote end; and identify the third file as malicious based on the network address reputation of the second network address indicating the second network address is malicious.
19. The apparatus of claim 18, wherein a third file reputation associated with the third hash is unknown when the third reputation query is received.
20. The apparatus of claim 18, wherein the analyzer module is to: based on identifying the third file as malicious, adjust a third file reputation associated with the third file to indicate the third file is malicious.
21. The apparatus of claim 18, wherein the third file is identified as malicious without analyzing the third file.
22. A method for navigational route selection, the method comprising: receiving a first reputation query including a first network address of a first remote end and a first hash of a first file, the first file associated with a first endhost and an attempt to establish a first network connection to the first remote end; identifying the first file as malicious based on determining the first network address is associated with a malicious reputation; receiving a second reputation query including a second network address of a second remote end and a second hash of a second file, the second file associated with a second endhost and an attempt to establish a second network connection to the second remote end; and identifying the second network address as malicious based on determining the second hash corresponds to the first hash, wherein the second network address is different from the first network address.
23. The method of claim 22, further comprising: receiving a third reputation query including the second network address and a third hash of a third file, the third file associated with a third endhost and an attempt to establish a third network connection to the second remote end; and identifying the third file as malicious based on a network address reputation of the second network address if the network address reputation indicates the second network address is malicious indicating the second network address is malicious.